Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain)

ipset: a tool for faster, more efficient firewalling with iptables
József Kadlecsik <kadlec@blackhole.kfki.hu>
MTA Wigner FK
Netdev 1.1, Seville
Challenges to firewalling with iptables
● Large number of rules
  – Rule evaluation is linear
● Often changed rules
  – iptables must handle the whole table
Rules
● Focus on filtering
  – Exotic matches, targets are not common
● Typical rules
  – Allow/deny a service at a given server, optionally limited to given clients
  – Allow/deny a service for a client machine, optionally limited to given servers
Ippool
● 2000: Joakim Axelsson: bitmap type
● 2001-2002: Joakim Axelsson, Patrick Schaaf and Martin Josefsson: modular, bitmap and macipmap types
Ippool II.
● 2003-2004: patches from me
● 2004: Patrick Schaaf: "Regarding backwards compatibility, my vote would be not to care, and name the new thing with a new name. Proposal: ipset"
● 2011: ipset 6.x
Ipset I.
● Data sets which can store given combinations of data types
  – IP (v4/v6) address, netblock
  – MAC address
  – Protocol and port number/type
  – Interface name
  – Mark value
  – Set name
● Kernel API
Ipset II.
● Different storage methods:
  – Bitmap
  – Hash
  – List
● Set dimension
  – bitmap:ip
  – hash:ip,port
  – hash:ip,port,ip
● Set element extensions:
  – Timeout
  – Counters
  – Comment
  – Skbinfo
Userspace tool
● ipset :-)
● Minimal dependency
  – libmnl
● Command line syntax similar to ip
  – Backward compatibility kept with older ipset syntax
Command keywords
● Whole set:
  – create, destroy, list, save, restore, flush, rename, swap
● Set element:
  – add, del, test
● Single letter equivalents
Create and add, del, test syntax
● Create a set: method, data types must be specified
  – method:data_type[,data_type[,data_type]]
    # ipset create test hash:ip,port,ip
● Add/delete/test element: components in the given order must be specified
    # ipset add test 192.168.1.1,udp:53,8.8.8.8
    # ipset test test 192.168.1.1,udp:53,8.8.8.8
Bitmap method
● Continuous bit vector where every bit represents one address from a range of addresses:
  IPv4 address = Base IPv4 address + bit position
● Can be generalized to support to store
  – Same size IPv4 netblocks
  – IPv4 + MAC address pairs
    – MAC addresses stored in another data vector
  – TCP or UDP port numbers
● Limited to 65536 elements (/16)
bitmap:ip
● Store IPv4 addresses from a range
    ipset n set1 bitmap:ip range 10.0.0.0-10.0.0.255
    ipset a set1 10.0.0.1
    ipset a set1 10.0.0.5-10.0.0.15
● Store same size IPv4 netblocks
    ipset c set2 bitmap:ip 0.0.0.0/0 netmask 16
    ipset a set2 10.1.0.0   # 10.1.0.0/16
    ipset a set2 10.7.0.0   # 10.7.0.0/16
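The two slides above describe the bitmap method as "base address + bit position", optionally with a netmask so that each bit stands for one netblock, and the 65536-element (/16) limit. The following is an added Python model of that storage scheme (not ipset's own code, which lives in the kernel); the class name BitmapIp, its method names and the demo() helper are assumptions, and the two sets built in demo() are the constructed examples from the slides.

```python
# Added example (not ipset's own code): a toy model of ipset's bitmap:ip storage.
# A set over an IPv4 range is one bit vector where
#     address = base address + bit position.
# With a netmask, each bit stands for one netblock of that size instead of one host.
# The 65536-element (/16) limit from the slides is enforced in the same way.
import ipaddress

MAX_ELEMENTS = 65536  # bitmap sets are limited to a /16 worth of entries


class BitmapIp:
    """Toy bitmap:ip set. range_spec is 'a.b.c.d-e.f.g.h' or 'a.b.c.d/cidr'; netmask is 1..32."""

    def __init__(self, range_spec, netmask=32):
        if "-" in range_spec:
            lo, hi = (ipaddress.IPv4Address(x) for x in range_spec.split("-"))
        else:
            net = ipaddress.IPv4Network(range_spec, strict=False)
            lo, hi = net[0], net[-1]
        self.netmask = netmask
        self.shift = 32 - netmask           # one bit per host (/32) or per netblock
        self.base = int(lo) >> self.shift   # index of the first element in the range
        last = int(hi) >> self.shift
        self.size = last - self.base + 1
        if self.size > MAX_ELEMENTS:
            raise ValueError("range too large: bitmap:ip is limited to %d elements" % MAX_ELEMENTS)
        self.bits = bytearray((self.size + 7) // 8)

    def _index(self, ip):
        """Bit position of an address: (address >> shift) - base, checked against the range."""
        pos = (int(ipaddress.IPv4Address(ip)) >> self.shift) - self.base
        if not 0 <= pos < self.size:
            raise ValueError("%s is outside the set's range" % ip)
        return pos

    def add(self, ip):
        pos = self._index(ip)
        self.bits[pos >> 3] |= 1 << (pos & 7)

    def add_range(self, first, last):
        """Equivalent of 'ipset add SET a.b.c.d-e.f.g.h': set every bit in the span."""
        for pos in range(self._index(first), self._index(last) + 1):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def delete(self, ip):
        pos = self._index(ip)
        self.bits[pos >> 3] &= ~(1 << (pos & 7)) & 0xFF

    def test(self, ip):
        try:
            pos = self._index(ip)
        except ValueError:
            return False  # an address outside the range is simply not in the set
        return bool(self.bits[pos >> 3] & (1 << (pos & 7)))

    def members(self):
        """Reconstruct the stored addresses or netblocks: (base + bit position) << shift."""
        out = []
        for pos in range(self.size):
            if self.bits[pos >> 3] & (1 << (pos & 7)):
                addr = ipaddress.IPv4Address((self.base + pos) << self.shift)
                out.append(str(addr) if self.netmask == 32 else "%s/%d" % (addr, self.netmask))
        return out


def demo():
    """The two sets from the slides, rebuilt as constructed sample input."""
    set1 = BitmapIp("10.0.0.0-10.0.0.255")
    set1.add("10.0.0.1")
    set1.add_range("10.0.0.5", "10.0.0.15")
    set2 = BitmapIp("0.0.0.0/0", netmask=16)   # every bit is one /16
    set2.add("10.1.0.0")
    set2.add("10.7.0.0")
    return set1, set2


if __name__ == "__main__":
    s1, s2 = demo()
    print(s1.members())
    print(s2.members())
```

Note that a lookup costs one shift, one subtraction and one bit test regardless of how many addresses are stored, which is what makes the bitmap method faster than a linear walk of iptables rules; the price is the fixed /16 bound on the range, which the constructor enforces.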
bitmap:ip,mac
● Store IPv4 and MAC address pairs
  – Source MAC addresses only
  – Can be added without MAC address, first match will fill out MAC
    ipset c set3 bitmap:ip,mac 192.168.0.0/16
    ipset a set3 192.168.1.1,00:01:23:45:67:89
    ipset a set3 192.168.1.2
Hashing
● Map data space into a fixed data space, where the algorithm must be
  – Deterministic
  – Uniform
● Linux kernel
  – jhash
● Collision handling
  – Typically linked lists
Hash method
● Hash size is forced to power of two, for speed
● Collided elements are stored in arrays instead of linked lists
  – 4-12x elem size
  – 12x elem size array full: grow hash
hash:ip
● Store random IP addresses
    ipset n set4 hash:ip hashsize 1024
    ipset a set4 10.1.1.1
    ipset a set4 192.168.168.168
● Also, can store same size netblocks
    ipset n set5 hash:ip family inet6 netmask 64
    ipset a set5 2001:2001:2001::
    ipset a set5 2001:2001:abcd::
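The "Hash method" and "hash:ip" slides above describe a power-of-two table, per-bucket arrays of 4 to 12 elements in place of linked lists, a table grow when a 12-element array is full, and a netmask that turns the set into a store of same-size netblocks. The following is an added Python model of that design (not ipset's kernel code); the class HashIp, the bucket constants, the use of zlib.crc32 in place of the kernel's jhash, growing bucket arrays in steps of 4, and the demo() helper are all assumptions made for illustration, and the sets in demo() are constructed from the slide's commands.

```python
# Added example (not ipset's own code): a toy model of the ipset hash method.
# The table size is always a power of two, so the bucket index is `hash & (size - 1)`.
# Colliding elements go into a small per-bucket array (4 to 12 slots here, an assumption
# mirroring the "4-12x elem size" figure on the slide) rather than a linked list; when a
# 12-slot bucket array is full, the whole table doubles and every element is rehashed.
# zlib.crc32 stands in for the kernel's jhash: any deterministic, uniform function will do.
import ipaddress
import zlib

BUCKET_INIT = 4   # initial slots per bucket array
BUCKET_STEP = 4   # extend a bucket array by this many slots on overflow (assumption)
BUCKET_MAX = 12   # a full bucket array of this size triggers a table grow


def pow2(n):
    """Round a requested hashsize up to a power of two, as the slide says ipset does."""
    size = 1
    while size < n:
        size <<= 1
    return size


class HashIp:
    def __init__(self, hashsize=1024, family="inet", netmask=None):
        self.size = pow2(hashsize)
        self.buckets = [None] * self.size   # None = empty, else [capacity, [keys]]
        self.family = family
        self.bits = 32 if family == "inet" else 128
        self.netmask = netmask if netmask is not None else self.bits
        self.count = 0
        self.grows = 0   # how many times the table had to double

    def _key(self, ip):
        """Parse an address and keep only the netmask prefix (same-size netblocks)."""
        addr = ipaddress.ip_address(ip)
        if (addr.version == 4) != (self.family == "inet"):
            raise ValueError("%s does not match family %s" % (ip, self.family))
        shift = self.bits - self.netmask
        return (int(addr) >> shift) << shift

    def _index(self, key, size=None):
        data = key.to_bytes(self.bits // 8, "big")
        return zlib.crc32(data) & ((size or self.size) - 1)   # power of two: mask, no modulo

    def _insert(self, buckets, size, key):
        """Insert into a given table; False means the bucket array is full at BUCKET_MAX."""
        i = self._index(key, size)
        b = buckets[i]
        if b is None:
            buckets[i] = [BUCKET_INIT, [key]]
            return True
        cap, keys = b
        if len(keys) < cap:
            keys.append(key)
            return True
        if cap < BUCKET_MAX:   # extend the bucket array in place
            b[0] = min(cap + BUCKET_STEP, BUCKET_MAX)
            keys.append(key)
            return True
        return False

    def _grow(self):
        """Double the table (again, if a bucket still overflows) and reinsert every key."""
        new_size = self.size
        while True:
            new_size *= 2
            new_buckets = [None] * new_size
            if all(self._insert(new_buckets, new_size, k)
                   for b in self.buckets if b is not None for k in b[1]):
                break
        self.size, self.buckets = new_size, new_buckets
        self.grows += 1

    def add(self, ip):
        key = self._key(ip)
        if self.test(ip):
            return False   # already a member
        while not self._insert(self.buckets, self.size, key):
            self._grow()
        self.count += 1
        return True

    def test(self, ip):
        key = self._key(ip)
        b = self.buckets[self._index(key)]
        return b is not None and key in b[1]

    def delete(self, ip):
        key = self._key(ip)
        b = self.buckets[self._index(key)]
        if b is None or key not in b[1]:
            return False
        b[1].remove(key)
        self.count -= 1
        return True


def demo():
    """The two sets from the slide, plus a deliberately tiny table to exercise the grow path."""
    set4 = HashIp(hashsize=1024)
    set4.add("10.1.1.1")
    set4.add("192.168.168.168")
    set5 = HashIp(family="inet6", netmask=64)
    set5.add("2001:2001:2001::")
    set5.add("2001:2001:abcd::")
    small = HashIp(hashsize=2)   # constructed: 40 hosts into 2 buckets must force a grow
    for i in range(40):
        small.add("10.0.0.%d" % i)
    return set4, set5, small


if __name__ == "__main__":
    set4, set5, small = demo()
    print(set4.test("10.1.1.1"), set5.test("2001:2001:2001::1234"))
    print("small table grew %d time(s) to %d buckets" % (small.grows, small.size))
```

The netmask handling is what makes `set5` match any host inside the stored /64s, and the `small` set shows the cost model the slide implies: lookups stay a bounded array scan of at most 12 entries, and the table, not the bucket, grows once that bound is hit.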